SureCloud’s Cybersecurity Practice Director, Luke Potter, explains how standard penetration testing models leave customers in the dark, and what can be done to improve support after exposing an organisation’s vulnerabilities.
Penetration testing (Pen Testing) is a valuable service that informs companies about vulnerabilities in their systems, applications, and processes. As organisations adopt an increasing number of cloud solutions and services, and as cyber-attacks rise, the demand for pen testing is set to rise at a compound annual growth rate (CAGR) of 13.9% over the next ten years.
This is partly driven by the continued threat of data breaches, which are becoming more numerous and severe, attracting the public’s outrage with companies who aren’t careful with data. Pentesting is, therefore, becoming ever more critical to businesses. GDPR officially came into force in May 2018, introducing potential fines of up to €20m*for those that fail to protect their customers’ data, it’s likely that more organisations will be turning to pen testing to help them achieve maximum security for their data.
However, while there is a growing demand for pen testing, it is critical that organisations ensure they work with providers that utilise the latest methods to ensure optimal effectiveness.
Today’s way – Pentesting results delivered in a PDF report
Currently, most organisations tend to procure penetration testing on a one-off or annual basis. It’s then performed by a vendor and results are delivered in a static report on the organisation’s vulnerabilities. The organisation is then responsible for interpreting the results and enacting changes based on the recommendations provided. Managing the remediation process this way is not only inefficient, but it’s ineffective and can lead to errors, wasted time, and unresolved issues.
After a pen test is complete, most testing providers leave their customers with a PDF that is potentially hundreds of pages long. They will be given a list of things to resolve but extracting a to-do list from the report ends up in cutting and pasting information, putting it into emails, annotating it, and trying to create spreadsheets out of the information provided in the report. As such, tracking what you’ve fixed and what you haven’t is particularly difficult.
Revolutionising the Pentesting – Pentest-as-a-Service
A better model, on the other hand, can be achieved when providers offer pentest-as-a-service (PTaaS). The scope of this could operate as a 12-month based engagement in which the vendor performs penetration tests as required and delivers the results in an interactive cloud-based platform, providing ongoing support throughout the remediation cycle. This allows the customer to focus on where their work starts rather than where the Pentesters’ work finishes.
The ideal Platform will enable customers to manage their entire remediation process, extract customised reports of the vulnerability data, assign vulnerabilities to individuals or teams for resolution, and collaborate with other teams or individuals within the system. It would be provided in an accessible format, with continued support from your Pen Testing team to help interpret any nuance of the report or general guidance around cybersecurity best practice.
Why should organisations adopt the Pentest-as-a-Service model?
This subscriber-based model is much more cost-effective than the traditional one. Instead of conducting the remediation process on your own, the new pentest-as-a-service model offers direct access to your cybersecurity experts, who identified your vulnerabilities. This helps your organisation’s IT team manage remediation efficiently and effectively, leaving you more secure.
Also, PTaaS provides the flexibility and scalability demanded by businesses that may also require more Pen Testing than they once did. Previously, when organisations’ IT was more static, and applications and hardware were deployed less frequently, a single annual test on a business’ networks or applications was adequate.
However, with IT now more dynamic and constantly changing, the typical organisation now deploys more new applications than they used to, all of which comes with the increased risk of inadvertently introducing a new vulnerability. The ‘annual’ penetration test cannot keep up with the pace of business change, whereas, in contrast, PTaaS provides the scope for conducting multiple tests throughout the year.
Furthermore, the PTaaS model provides these reports in an interactive Platform rather than a static report, enabling each vulnerability to be addressed much more effectively. This removes the need for data to be extracted to track and manage remediation, ensuring that issues are not missed or overlooked as businesses handle multiple reports.
With the increasing reliance on Pen Testing, it’s clear that current models can no longer deliver the level of assurance in security as they once did. What’s needed is a service that not only exposes organisations’ vulnerabilities but helps them patch them up effectively and efficiently.
*or up to 4% of annual turnover, whichever is greater.
About Luke Potter
Luke oversees SureCloud Cybersecurity Solutions. He also manages our Secure Private Cloud. Luke is a recognised cybersecurity expert. He is a CHECK team leader, Tiger Scheme senior security tester, ISO 27001 lead auditor and Microsoft Certified enterprise administrator. Previously, Luke managed the IT team at a large UK insurance brokerage.
SureCloud provides Cybersecurity services, and cloud-based, Governance, Risk and Compliance products, which reinvent the way you manage risk. SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test lifecycle, from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (utilizing a highly configurable technology platform ), SureCloud acts as an extension of your in-house security team. Ensuring you have everything you need to improve your risk posture.